Bug #5939

closed

webgui login denied with message 'An HTTP_REFERER was detected other than what is defined in System'

Added by Pi Ba almost 10 years ago. Updated almost 10 years ago.

Status: Resolved
Priority: Low
Assignee: -
Category: Web Interface
Target version: -
Start date: 02/28/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

I sometimes get the following 'error' when trying to log in to the webgui. (Today after performing a firmware upgrade to current version, coming from snapshot version of +-10 days old..) But I've seen it happen also after a regular reboot sometimes.. (with 2.2.x also..)

Currently running: 2.3-BETA (amd64) built on Sat Feb 27 13:27:14 CST 2016 FreeBSD 10.3-BETA2

An HTTP_REFERER was detected other than what is defined in System -> Advanced (https://192.168.0.133:444/). You can disable this check if needed in System -> Advanced -> Admin.

.133 is the IP assigned by DHCP, which I normally use to access the webgui
.222 a virtualip of type alias
.111 is a carp-ip

In ifconfig output below it can be seen that the ipalias is configured 'first', but that should imho not cause the configured interface-ip to reject login attempts..

[2.3-BETA][root@pfSense.localdomain]/root: ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:e0:ed:8a
        inet6 fe80::a00:27ff:fee0:ed8a%em0 prefixlen 64 scopeid 0x1
        inet6 2001:470:XX:XX::10 prefixlen 64
        inet 192.168.0.222 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.133 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: MASTER vhid 1 advbase 10 advskew 254

It might be that it's related to my weird test environment with mixed DHCP and static IPs on the same subnet.. But still I think all IPs on 'this-firewall' should be allowed to use for the webgui referer check.. Or at least that interface-ip which is supposedly configured 'on' the interface. As you can see the order changed, but that should be irrelevant..

[2.3-BETA][root@pfSense.localdomain]/root: ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:e0:ed:8a
        inet6 fe80::a00:27ff:fee0:ed8a%em0 prefixlen 64 scopeid 0x1
        inet 192.168.0.133 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 2001:470:XX:XX::10 prefixlen 64
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
        inet 192.168.0.222 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: MASTER vhid 1 advbase 10 advskew 254

Actions #1

Updated by Chris Buechler almost 10 years ago

  • Affected Version changed from 2.3 to All

I'm guessing there's a good chance this was fixed in recent work in that area with VIPs. You still see this happening on latest 2.3?

Actions #2

Updated by Pi Ba almost 10 years ago

I haven't seen it in a while, so we could assume it's fixed. No guarantees there though, behavior has always been like that: it's working fine for a longer time and then after some random reboot or VM resume (I used to see most occurrences on my test VirtualBox machine, but have seen it on my production ESXi VM as well), it would suddenly switch the order of 2 IPs and make the referer check fail.

For now, let's set it to fixed. I'll open a new issue if I see it again.

Actions #3

Updated by Chris Buechler almost 10 years ago

  • Status changed from New to Resolved
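
The address reordering reported in the description, as an added example that is not part of the original thread and is not pfSense code: it parses the address lines of the two em0 listings and compares a referer check that trusts only the first listed IPv4 address with one that accepts any address on the interface. `check_first_only` is a hypothetical stand-in for an order-dependent check, and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: address lines of em0 copied from the two
# ifconfig listings in the report (same addresses, different order).
LISTING_A = """\
        inet6 fe80::a00:27ff:fee0:ed8a%em0 prefixlen 64 scopeid 0x1
        inet 192.168.0.222 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.133 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
"""
LISTING_B = """\
        inet6 fe80::a00:27ff:fee0:ed8a%em0 prefixlen 64 scopeid 0x1
        inet 192.168.0.133 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255 vhid 1
        inet 192.168.0.222 netmask 0xffffff00 broadcast 192.168.0.255
"""
REFERER = "https://192.168.0.133:444/"  # URL shown in the error message

# Matches "inet <ipv4>" lines only; "inet6" lines are skipped.
INET_RE = re.compile(r"^\s*inet\s+(\d{1,3}(?:\.\d{1,3}){3})\s", re.MULTILINE)

def local_ipv4(ifconfig_text):
    """Return the IPv4 addresses in ifconfig output, in listed order."""
    return INET_RE.findall(ifconfig_text)

def referer_host(referer):
    """Host part of a Referer URL, lower-cased; None if it has no host."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return None
    return host.lower() if host else None

def check_first_only(referer, ifconfig_text):
    """Hypothetical order-dependent check: trusts only the first address."""
    addrs = local_ipv4(ifconfig_text)
    return bool(addrs) and referer_host(referer) == addrs[0]

def check_any_local(referer, ifconfig_text):
    """Order-independent check: any IPv4 address configured on the interface."""
    return referer_host(referer) in set(local_ipv4(ifconfig_text))

if __name__ == "__main__":
    for name, listing in (("A", LISTING_A), ("B", LISTING_B)):
        print(name, check_first_only(REFERER, listing),
              check_any_local(REFERER, listing))
```
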